diff --git a/.gitignore b/.gitignore index 98a4bf9..48f4fe1 100644 --- a/.gitignore +++ b/.gitignore @@ -25,3 +25,4 @@ /icu4c-70_1-src.tgz /node-v18.2.0-stripped.tar.gz /icu4c-71_1-src.tgz +/node-v18.7.0-stripped.tar.gz diff --git a/0001-Disable-running-gyp-on-shared-deps.patch b/0001-Disable-running-gyp-on-shared-deps.patch index 778f8df..03590a1 100644 --- a/0001-Disable-running-gyp-on-shared-deps.patch +++ b/0001-Disable-running-gyp-on-shared-deps.patch @@ -1,4 +1,4 @@ -From 142fe30256f96e28b49f55d5c72e604719aaaad8 Mon Sep 17 00:00:00 2001 +From fe1e9d3f6d87416aa4cd8f8bee186d71a8ea2b0f Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Fri, 17 Apr 2020 12:59:44 +0200 Subject: [PATCH] Disable running gyp on shared deps @@ -10,30 +10,30 @@ Signed-off-by: rpm-build 2 files changed, 1 insertion(+), 18 deletions(-) diff --git a/Makefile b/Makefile -index 4aace77..0bad864 100644 +index e0d756f..c90bfa7 100644 --- a/Makefile +++ b/Makefile @@ -147,7 +147,7 @@ with-code-cache test-code-cache: - $(warning '$@' target is a noop) - + $(warning '$@' target is a noop) + out/Makefile: config.gypi common.gypi node.gyp \ - deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \ + deps/llhttp/llhttp.gyp \ - tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ - tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp - $(PYTHON) tools/gyp_node.py -f make + tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ + tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp + $(PYTHON) tools/gyp_node.py -f make diff --git a/node.gyp b/node.gyp -index 86fe9a6..bfa5093 100644 +index 6b3a6d9..5882cef 100644 --- a/node.gyp +++ b/node.gyp -@@ -449,23 +449,6 @@ +@@ -429,23 +429,6 @@ ], }, ], - }, { - 'variables': { - 'opensslconfig_internal': '<(obj_dir)/deps/openssl/openssl.cnf', -- 'opensslconfig': './deps/openssl/openssl/apps/openssl.cnf', +- 'opensslconfig': './deps/openssl/nodejs-openssl.cnf', - }, - 'actions': [ - { @@ -42,14 +42,14 @@ index 86fe9a6..bfa5093 100644 - 'outputs': [ '<(opensslconfig_internal)', ], - 'action': [ - 'python', 'tools/copyfile.py', -- './deps/openssl/openssl/apps/openssl.cnf', -- '<(obj_dir)/deps/openssl/openssl.cnf', +- '<(opensslconfig)', +- '<(opensslconfig_internal)', - ], - }, - ], }], ], }, # node_core_target_name --- +-- 2.36.1 diff --git a/nodejs.spec b/nodejs.spec index 0d3a0d6..ef48b44 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -1,11 +1,3 @@ -%global with_debug 0 - -# PowerPC, s390x and aarch64 segfault during Debug builds -# https://github.com/nodejs/node/issues/20642 -%ifarch %{power64} s390x aarch64 -%global with_debug 0 -%endif - # The following macros control the usage of dependencies bundled from upstream. # # When to use what: @@ -17,7 +9,7 @@ # # create bootstrapping build with bundled deps and extra release suffix %bcond_with bootstrap -# bundle dependencies that are not available as Fedora modules +# bundle dependencies that are not available in CentOS %if %{with bootstrap} %bcond_without bundled %else @@ -37,7 +29,7 @@ # This is used by both the nodejs package and the npm subpackage that # has a separate version - the name is special so that rpmdev-bumpspec # will bump this rather than adding .1 to the end. -%global baserelease 2 +%global baserelease 1 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -48,7 +40,7 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 18 -%global nodejs_minor 2 +%global nodejs_minor 7 %global nodejs_patch 0 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h @@ -63,9 +55,9 @@ # Epoch is set to ensure clean upgrades from the old v8 package %global v8_epoch 2 %global v8_major 10 -%global v8_minor 1 -%global v8_build 124 -%global v8_patch 8 +%global v8_minor 2 +%global v8_build 154 +%global v8_patch 13 # V8 presently breaks ABI at least every x.y release while never bumping SONAME %global v8_abi %{v8_major}.%{v8_minor} %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch} @@ -73,28 +65,16 @@ # c-ares - from deps/cares/include/ares_version.h # https://github.com/nodejs/node/pull/9332 -%global c_ares_major 1 -%global c_ares_minor 18 -%global c_ares_patch 1 -%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch} +%global c_ares_version 1.18.1 # llhttp - from deps/llhttp/include/llhttp.h -%global llhttp_major 6 -%global llhttp_minor 0 -%global llhttp_patch 6 -%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch} +%global llhttp_version 6.0.7 # libuv - from deps/uv/include/uv/version.h -%global libuv_major 1 -%global libuv_minor 43 -%global libuv_patch 0 -%global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch} +%global libuv_version 1.43.0 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h -%global nghttp2_major 1 -%global nghttp2_minor 47 -%global nghttp2_patch 0 -%global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch} +%global nghttp2_version 1.47.0 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h %global nghttp3_major 0 @@ -133,29 +113,11 @@ # punycode - from lib/punycode.js # Note: this was merged into the mainline since 0.6.x # Note: this will be unmerged in an upcoming major release -%global punycode_major 2 -%global punycode_minor 1 -%global punycode_patch 0 -%global punycode_version %{punycode_major}.%{punycode_minor}.%{punycode_patch} +%global punycode_version 2.1.0 # npm - from deps/npm/package.json %global npm_epoch 1 -%global npm_major 8 -%global npm_minor 9 -%global npm_patch 0 -%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} - -# uvwasi - from deps/uvwasi/include/uvwasi.h -%global uvwasi_major 0 -%global uvwasi_minor 0 -%global uvwasi_patch 12 -%global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch} - -# histogram_c - assumed from timestamps -%global histogram_major 0 -%global histogram_minor 9 -%global histogram_patch 7 -%global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch} +%global npm_version 8.15.0 # In order to avoid needing to keep incrementing the release version for the # main package forever, we will just construct one for npm that is guaranteed @@ -163,8 +125,11 @@ # base npm version number is increasing. %global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release} -# Node.js 16.9.1 and later comes with an experimental package management tool -%global corepack_version 0.10.0 +# uvwasi - from deps/uvwasi/include/uvwasi.h +%global uvwasi_version 0.0.12 + +# histogram_c - assumed from timestamps +%global histogram_version 0.9.7 Name: nodejs Epoch: %{nodejs_epoch} @@ -196,10 +161,16 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch BuildRequires: make BuildRequires: python3-devel +BuildRequires: python3-setuptools +BuildRequires: python3-jinja2 +%if !%{with python3_fixup} +BuildRequires: python-unversioned-command +%endif BuildRequires: zlib-devel BuildRequires: brotli-devel BuildRequires: gcc >= 8.3.0 BuildRequires: gcc-c++ >= 8.3.0 +BuildRequires: jq # needed to generate bundled provides for npm dependencies # https://src.fedoraproject.org/rpms/nodejs/pull-request/2 # https://pagure.io/nodejs-packaging/pull-request/10 @@ -285,15 +256,9 @@ Provides: bundled(icu) = %{icu_version} # or there's no option to built it as a shared dependency, so we bundle them Provides: bundled(uvwasi) = %{uvwasi_version} Provides: bundled(histogram) = %{histogram_version} -Provides: bundled(corepack) = %{corepack_version} # Make sure we keep NPM up to date when we update Node.js -%if 0%{?rhel} < 8 -# EPEL doesn't support Recommends, so make it strict -Requires: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist} -%else Recommends: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist} -%endif %description Node.js is a platform built on Chrome's JavaScript runtime @@ -341,9 +306,7 @@ Release: %{npm_release}%{?dist} Obsoletes: npm < 0:3.5.4-6 Provides: npm = %{npm_epoch}:%{npm_version} Requires: nodejs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} -%if 0%{?fedora} || 0%{?rhel} >= 8 Recommends: nodejs-docs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} -%endif # Do not add epoch to the virtual NPM provides or it will break # the automatic dependency-generation script. @@ -375,6 +338,8 @@ The API documentation for the Node.js JavaScript runtime. # remove bundled dependencies that we aren't building rm -rf deps/zlib rm -rf deps/brotli +rm -rf deps/v8/third_party/jinja2 +rm -rf tools/inspector_protocol/jinja2 # Replace any instances of unversioned python' with python3 %if %{with python3_fixup} @@ -382,20 +347,19 @@ pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js") find . -type f -exec sed -i "s~/usr\/bin\/env python~/usr/bin/python3~" {} \; find . -type f -exec sed -i "s~/usr\/bin\/python\W~/usr/bin/python3~" {} \; sed -i "s~usr\/bin\/python2~usr\/bin\/python3~" ./deps/v8/tools/gen-inlining-tests.py -sed -i "s~usr\/bin\/python.*$~usr\/bin\/python3~" ./deps/v8/tools/mb/mb_unittest.py +sed -i "s~usr\/bin\/python.*$~usr\/bin\/python3~" ./deps/v8/tools/mb/mb_test.py find . -type f -exec sed -i "s~python -c~python3 -c~" {} \; %endif %build - %ifarch s390 s390x %{arm} %ix86 # Decrease debuginfo verbosity to reduce memory consumption during final # library linking %global optflags %(echo %{optflags} | sed 's/-g /-g1 /') %endif -export CC='gcc' -export CXX='g++' +export CC='%{__cc}' +export CXX='%{__cxx}' %{?with_python3_fixup:export NODE_GYP_FORCE_PYTHON=%{__python3}} # build with debugging symbols and add defines from libuv (#892601) @@ -419,15 +383,11 @@ export LDFLAGS="%{build_ldflags}" --with-dtrace \ --with-intl=small-icu \ --with-icu-default-data-dir=%{icudatadir} \ + --without-corepack \ --openssl-use-def-ca-store \ --openssl-default-cipher-list=PROFILE=SYSTEM -%if %{?with_debug} == 1 -# Setting BUILDTYPE=Debug builds both release and debug binaries -make BUILDTYPE=Debug %{?_smp_mflags} -%else make BUILDTYPE=Release %{?_smp_mflags} -%endif # Extract the ICU data and convert it to the appropriate endianness pushd deps/ @@ -468,11 +428,6 @@ rm -rf %{buildroot} chmod 0755 %{buildroot}/%{_bindir}/node chrpath --delete %{buildroot}%{_bindir}/node -%if %{?with_debug} == 1 -# Install the debug binary and set its permissions -install -Dpm0755 out/Debug/node %{buildroot}/%{_bindir}/node_g -%endif - # own the sitelib directory mkdir -p %{buildroot}%{_prefix}/lib/node_modules @@ -530,11 +485,6 @@ find %{buildroot}%{_prefix}/lib/node_modules/npm \ chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js -# Corepack contains a number of executable"shims", including some for Windows -# PowerShell. Drop the executable bit for those so we don't pick up an -# automatic dependency on /usr/bin/pwsh that we cannot satisfy. -chmod -x %{buildroot}%{_prefix}/lib/node_modules/corepack/shims/*.ps1 - # Drop the NPM default configuration in place mkdir -p %{buildroot}%{_sysconfdir} cp %{SOURCE1} %{buildroot}%{_sysconfdir}/npmrc @@ -558,77 +508,12 @@ install -Dpm0644 -t %{buildroot}%{icudatadir} deps/icu/source/converted/* %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"punycode\").version, '%{punycode_version}')" # Ensure we have npm and that the version matches -# NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"npm\").version, '%{npm_version}')" NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(JSON.parse(require(\"fs\").readFileSync(\"%{buildroot}%{_prefix}/lib/node_modules/npm/package.json\")).version, '%{npm_version}')" # Make sure i18n support is working NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node --icu-data-dir=%{buildroot}%{icudatadir} %{SOURCE2} -%pretrans -n npm -p --- Remove all of the symlinks from the bundled npm node_modules directory --- This scriptlet can be removed in Fedora 31 -base_path = "%{_prefix}/lib/node_modules/npm/node_modules/" -d_st = posix.stat(base_path) -if d_st then - for f in posix.files(base_path) do - path = base_path..f - st = posix.stat(path) - if st and st.type == "link" then - os.remove(path) - end - end -end - --- Replace the npm docs directory with a symlink --- Drop this scriptlet when F31 is EOL -path = "%{_prefix}/lib/node_modules/npm/doc" -st = posix.stat(path) -if st and st.type == "directory" then - status = os.rename(path, path .. ".rpmmoved") - if not status then - suffix = 0 - while not status do - suffix = suffix + 1 - status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix) - end - os.rename(path, path .. ".rpmmoved") - end -end - --- Replace the npm docs directory with a symlink --- Drop this scriptlet when F31 is EOL -path = "%{_prefix}/lib/node_modules/npm/html" -st = posix.stat(path) -if st and st.type == "directory" then - status = os.rename(path, path .. ".rpmmoved") - if not status then - suffix = 0 - while not status do - suffix = suffix + 1 - status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix) - end - os.rename(path, path .. ".rpmmoved") - end -end - --- Replace the npm man directory with a symlink --- Drop this scriptlet when F31 is EOL -path = "%{_prefix}/lib/node_modules/npm/man" -st = posix.stat(path) -if st and st.type == "directory" then - status = os.rename(path, path .. ".rpmmoved") - if not status then - suffix = 0 - while not status do - suffix = suffix + 1 - status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix) - end - os.rename(path, path .. ".rpmmoved") - end -end - - %files %{_bindir}/node %dir %{_prefix}/lib/node_modules @@ -637,10 +522,6 @@ end %dir %{_datadir}/systemtap/tapset %{_datadir}/systemtap/tapset/node.stp -# corepack -%{_bindir}/corepack -%{_prefix}/lib/node_modules/corepack - %dir %{_usr}/lib/dtrace %{_usr}/lib/dtrace/node.d @@ -652,9 +533,6 @@ end %files devel -%if %{?with_debug} == 1 -%{_bindir}/node_g -%endif %{_includedir}/node %{_datadir}/node/common.gypi %{_pkgdocdir}/gdbinit @@ -682,8 +560,9 @@ end %doc %{_mandir}/man5/npm-shrinkwrap-json.5* %doc %{_mandir}/man7/config.7* %doc %{_mandir}/man7/developers.7* -%doc %{_mandir}/man7/orgs.7* %doc %{_mandir}/man7/logging.7* +%doc %{_mandir}/man7/orgs.7* +%doc %{_mandir}/man7/package-spec.7* %doc %{_mandir}/man7/registry.7* %doc %{_mandir}/man7/removal.7* %doc %{_mandir}/man7/scope.7* @@ -699,6 +578,12 @@ end %changelog +* Mon Aug 08 2022 Zuzana Svetlikova - 1:18.7.0-1 +- Update to latest release +- Resolves CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215 +- Resolves CVE-2022-29244 +- Resolves: RHBZ#2111009 + * Mon Jun 20 2022 Zuzana Svetlikova - 1:18.2.0-2 - Disable LTO - Related: #1990096 diff --git a/sources b/sources index 6b5cd21..521edff 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (node-v18.2.0-stripped.tar.gz) = c51881ae16d950a8a9f3e123b8901937b0152e81128a51645cdc07408a076cc4212883a408b3e88de91bfa30d6d2dc327a1f7b842e4b78f62defb13d78d4d08b -SHA512 (icu4c-71_1-src.tgz) = 1fd2a20aef48369d1f06e2bb74584877b8ad0eb529320b976264ec2db87420bae242715795f372dbc513ea80047bc49077a064e78205cd5e8b33d746fd2a2912 +SHA512 (icu4c-70_1-src.tgz) = 0b26ae7207155cb65a8fdb25f7b2fa4431e74b12bccbed0884a17feaae3c96833d12451064dd152197fd6ea5fd3adfd95594284a463e66c82e0d860f645880c9 +SHA512 (node-v18.7.0-stripped.tar.gz) = 710c3ab1e8417bcda55ab7aa74b9c54367d899f8a039cff3d6644d3d15fae98ce257e1632f997ad2f67132b17fc585c1e1de0f570add6ffb7e5d6b5405e1bb29